authorShane Lontis <shane.lontis@oracle.com>2019-11-18 13:13:05 +1000
committerShane Lontis <shane.lontis@oracle.com>2019-11-18 13:13:05 +1000
commitf75abcc0f073b1c3e2d81df3fcde8fe45dd1e61f (patch)
tree9e55a53ddf04b053cc081fbe0c9e8244a13b5f22 /providers/common
parentde0799b0fc845869d775520382b4e7f9995732e5 (diff)
Fix Use after free when copying cipher ctx
Fixes #10438 issue found by clusterfuzz/ossfuzz. The dest was getting a copy of the src structure which contained a pointer that should point to an offset inside itself - because of the copy it was pointing to the original structure. The setup for a ctx is mainly done by the initkey method in the PROV_CIPHER_HW structure. Because of this it makes sense that the structure should also contain a copyctx method that is used to resolve any pointers that need to be setup. A dup_ctx has been added to the cipher_enc tests in evp_test. It does a dup after setup and then frees the original ctx. This detects any floating pointers in the duplicated context that were pointing back to the freed ctx. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10443)
Diffstat (limited to 'providers/common')
-rw-r--r--providers/common/include/prov/ciphercommon.h11
1 files changed, 11 insertions, 0 deletions
diff --git a/providers/common/include/prov/ciphercommon.h b/providers/common/include/prov/ciphercommon.h
index 2f77f48712..c9b0034017 100644
--- a/providers/common/include/prov/ciphercommon.h
+++ b/providers/common/include/prov/ciphercommon.h
@@ -68,6 +68,7 @@ struct prov_cipher_ctx_st {
struct prov_cipher_hw_st {
int (*init)(PROV_CIPHER_CTX *dat, const uint8_t *key, size_t keylen);
PROV_CIPHER_HW_FN *cipher;
+ void (*copyctx)(PROV_CIPHER_CTX *dst, const PROV_CIPHER_CTX *src);
};
OSSL_OP_cipher_encrypt_init_fn cipher_generic_einit;
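Review bot: The new `copyctx` member of `struct prov_cipher_hw_st` carries no comment saying when it must be set, and any `PROV_CIPHER_HW` table that is not updated alongside this header will leave it NULL. The code that invokes the hook during a context dup is not in this hunk, so it presumably needs either a NULL check with a fallback to a plain structure copy or a guarantee that every table supplies the hook. I would document the contract on the member, for example `/* Copy src to dst and re-point any pointer in dst that refers to dst's own storage */`.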
@@ -233,6 +234,16 @@ static int cipher_hw_##NAME##_##MODE##_cipher(PROV_CIPHER_CTX *ctx, \
return 1; \
}
+#define IMPLEMENT_CIPHER_HW_COPYCTX(name, CTX_TYPE) \
+static void name(PROV_CIPHER_CTX *dst, const PROV_CIPHER_CTX *src) \
+{ \
+ CTX_TYPE *sctx = (CTX_TYPE *)src; \
+ CTX_TYPE *dctx = (CTX_TYPE *)dst; \
+ \
+ *dctx = *sctx; \
+ dst->ks = &dctx->ks.ks; \
+}
+
#define CIPHER_DEFAULT_GETTABLE_CTX_PARAMS_START(name) \
static const OSSL_PARAM name##_known_gettable_ctx_params[] = { \
OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_KEYLEN, NULL), \
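Review bot: The cast `(CTX_TYPE *)src` in `IMPLEMENT_CIPHER_HW_COPYCTX` discards the `const` qualifier of the source context although `sctx` is only read; it can be written `const CTX_TYPE *sctx = (const CTX_TYPE *)src;`. Judging from the casts and the last statement, the macro relies on `CTX_TYPE` starting with the `PROV_CIPHER_CTX` base and having a `ks.ks` field, and it re-points only `dst->ks`. Any other pointer inside `CTX_TYPE` that refers into the source context would still point at the original after `*dctx = *sctx`, which is the same dangling-pointer pattern this commit fixes. A short comment above the macro stating those preconditions, and that such types need a hand-written `copyctx`, would keep later users from reintroducing it.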